Researching S3 Bucket Properties Data

Analyzing S3 Buckets Properties Search Results

The following section describes the elements of the search results that appear when
you use the Research tab to investigate your S3 bucket properties data that
Macie monitors.

Complete the following steps in the Research tab.

Select S3 bucket properties in the first filter dropdown.

For this example, select Top 10 in the second filter dropdown.

For this example, select Past 90 days in the third filter dropdown.

Choose the button with the looking glass icon to start the search.

Your search results contain the following elements:

The total number of results that matched your S3 bucket properties data search
for the selected time range.

The graphical representation of the S3 bucket properties data search results
for the selected time range.

Note

If your dataset is very large and you specify a very wide time range, your data might
not render properly, and this graph might not appear as one of the resulting
elements of your search.

Important

You can use the graph to further narrow your search and generate and run a query that
produces a subset of the results generated by your original selections in
the preceding steps. Double-click any of the graph's results, and your
selection is translated into a new query that automatically appears in the
query parser, and the Research tab is refreshed with
the results of this new query.

Search results summary – A list of the most
significant fields from your search. The first line includes the top (or bottom)
three values for each field. The second line includes the top (or bottom) 10
values for each field.

Important

You can use the fields in the search results summary to further narrow your search
and generate and run a query that produces a subset of the results generated by
your original selections in the preceding steps. Choose the first or the
second line of results for any field, and in the expanded results breakdown,
choose the looking glass icon next to any of the results. Your choices are
translated into a new query that automatically appears in the query parser,
and the Research tab is refreshed with the results of
this new query.

A list of S3 buckets that match your search criteria. Choose any bucket to expand
it and view its details.

S3 Bucket Properties Data Fields and Example Queries

The following tables include the fields that can appear in the results of your S3
buckets metadata searches:

The first table includes the fields that Macie extracts from the Amazon S3 bucket
API metadata. For example, acl.Grants.Grantee.DisplayName in Macie corresponds to
Grants.Grantee.DisplayName in the Amazon S3 get-bucket-acl API response.

The second table includes the fields that Macie generates to provide further security
intelligence and context based on the examined S3 buckets metadata. For example,
s3_world_readability describes a true/false/unknown state
condition of whether an S3 bucket is readable by everyone as part of evaluating
its Amazon S3 ACL and bucket (IAM) policy.
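The field mapping described above, as an added example that is not Macie's or AWS's own code: it flattens a constructed get-bucket-acl response into Macie-style field names and evaluates one exact-match query of the form shown on this page. The function names are hypothetical, and acl_world_readable is an ACL-only simplification (Macie also evaluates the bucket policy).

```python
import re

# Amazon S3 predefined group that represents everyone.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# Constructed sample in the shape of an S3 get-bucket-acl response.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "JohnDoe", "ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "DisplayName": "JohnDoe",
                     "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS},
         "Permission": "READ"},
    ],
}

def flatten(node, prefix="acl"):
    """Map a nested API response to {dotted field name: set of values}."""
    fields = {}
    if isinstance(node, dict):
        for key, value in node.items():
            for name, vals in flatten(value, f"{prefix}.{key}").items():
                fields.setdefault(name, set()).update(vals)
    elif isinstance(node, list):
        for item in node:  # every list item contributes to the same field name
            for name, vals in flatten(item, prefix).items():
                fields.setdefault(name, set()).update(vals)
    else:
        fields[prefix] = {str(node)}
    return fields

def matches(fields, query):
    """Evaluate one exact-match term of the form field:"value" (assumed subset)."""
    m = re.fullmatch(r'([\w.]+):"([^"]*)"', query.strip())
    if not m:
        raise ValueError(f"unsupported query: {query!r}")
    return m.group(2) in fields.get(m.group(1), set())

def acl_world_readable(acl):
    """ACL-only approximation; 'unknown' when no ACL could be retrieved."""
    if acl is None:
        return "unknown"
    for grant in acl.get("Grants", []):
        if (grant.get("Grantee", {}).get("URI") == ALL_USERS
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            return "true"
    return "false"
```
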

S3 Bucket Properties Data Fields That Macie Extracts

| Macie Field Name | Amazon S3 API Field Name | Amazon S3 API Operation | Macie Field Type | Description | Example Search Query |
|---|---|---|---|---|---|
| acl.Grants.Grantee.DisplayName | Grants.Grantee.DisplayName | get-bucket-acl | String | The display name of the S3 bucket ACL grantee. | Search for S3 buckets accessible by John Doe: acl.Grants.Grantee.DisplayName:"JohnDoe" |
| acl.Grants.Grantee.ID | Grants.Grantee.ID | get-bucket-acl | String | The ID of the identity that was granted access to the S3 bucket by the bucket owner. | |